Authentication and Key Exchange in Solaris Secure Shell

The Solaris Secure Shell protocols, v1 and v2, both support client user/host authentication
and server host authentication. Both protocols involve the exchange of session
cryptographic keys for the protection of Solaris Secure Shell sessions. Each protocol provides
various methods for authentication and key exchange. Some methods are optional. Solaris Secure Shell supports
a number of client authentication mechanisms, as shown in Table 19–1. Servers are authenticated
by using known host public keys.

For the v1 protocol, Solaris Secure Shell supports user authentication with passwords.
The protocol also supports user public keys and authentication with trusted
host public keys. Server authentication is done with a host public key. For
the v1 protocol, all public keys are RSA keys.
Session key exchanges involve the use of an ephemeral server key that is periodically
regenerated.

For the v2 protocol, Solaris Secure Shell supports user authentication and generic
interactive authentication, which usually involves passwords. The protocol
also supports authentication with user public keys and with trusted host public
keys. The keys can be RSA or DSA.
Session key exchanges consist of Diffie-Hellman ephemeral key exchanges that
are signed in the server authentication step. Additionally, Solaris Secure Shell can use
GSS credentials for authentication.

Acquiring GSS Credentials in Solaris Secure Shell

To use GSS-API for authentication in Solaris Secure Shell,
the server must have GSS-API acceptor credentials and the client must have
GSS-API initiator credentials. Support is available for mech_dh and
for mech_krb5.

For mech_dh,
the server has GSS-API acceptor credentials if root has
run the keylogin command.

For mech_krb5,
the server has GSS-API acceptor credentials when the host principal that corresponds
to the server has a valid entry in /etc/krb5/krb5.keytab.

The client has initiator credentials for mech_dh if
one of the following has been done:

The keylogin command has been run.

The pam_dhkeys module is used in the pam.conf file.

The client has initiator credentials for mech_krb5 if
one of the following has been done: